When I run the below command, it returns some of the grouped events, but not all of them. It will not return the most recent events.
If I change to earliest=-1d, it returns events more recent than those returned with earliest=-2d. I thought all events up to the current time should be returned with -1d. In other words, -2d should return 2 days' worth and -1d should return 1 day's worth, but all events returned from -1d should also be returned with

index="personalizedoffer" earliest=-2d (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version" | xmlkv | fields _time clientId | transaction clientId
To return all the events that are not part of the grouped transactions, use the keeporphaned=true attribute:

..... | transaction startswith=Start endswith=Ends keeporphaned=true ....

will return loose events. Also, look at the keepevicted=true option from the same docs link.
As far as the -2d and -1d question is concerned, are you missing any large subset of events?
Hope this helps!
Yes, it is missing the most recent events that are part of the grouped transaction. My question about -1d and -2d is that -2d should be inclusive of -1d, but it appears not to be. The search is grouping events (there are only two events in a group). I want only the groups that have a duration of > 5. There are groups that meet the criteria for today and are returned with -1d, but not with -2d... make sense?
Is it possible that it's returning lots of data? There is a limit on open transactions that can be returned. Please take a look at this answer.
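The following is an added diagnostic search, not posted by anyone in this thread: it takes the question's search, keeps evicted and orphaned groups instead of silently dropping them, and counts them separately from fully closed groups, together with how many in each class exceed the duration > 5 mentioned in the reply. It relies on the closed_txn field (0 for evicted transactions) and the _txn_orphan field (1 for orphaned events) that the transaction command sets when keepevicted=true and keeporphaned=true are given; everything else (index, terms, field names) is taken from the question.

```spl
index="personalizedoffer" earliest=-2d
    (XML_INPUT_LOGGER AND offerInquiryRequest) OR "EnVisionResponse version"
| xmlkv
| fields _time clientId
| transaction clientId keepevicted=true keeporphaned=true
| eval status=case(_txn_orphan==1, "orphan", closed_txn==0, "evicted", true(), "closed")
| stats count AS groups, sum(eval(if(duration>5, 1, 0))) AS slow_groups BY status
```

If the evicted row grows when the time range is widened from -1d to -2d while the closed row does not, the open-transaction limit in the last comment is the likely reason the most recent groups disappear; dropping the final stats line returns the individual groups with their status for inspection.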